Merge pull request #9368 from lafirest/fix/allow_absent_exp

fix(JWT): make the `exp` to be optional claim
2022-11-15 22:10:15 +08:00 · 2022-11-15 22:10:15 +08:00 · ff00a6716a
parent 56d443d19a 0b9f4e70cf
commit ff00a6716a
4 changed files with 50 additions and 2 deletions
--- a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl
+++ b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl
@ -365,11 +365,11 @@ verify(JWT, JWKs, VerifyClaims, AclClaimName) ->
 acl(Claims, AclClaimName) ->
    Acl =
        case Claims of
-            #{<<"exp">> := Expire, AclClaimName := Rules} ->
+            #{AclClaimName := Rules} ->
                #{
                    acl => #{
                        rules => Rules,
-                        expire => Expire
+                        expire => maps:get(<<"exp">>, Claims, undefined)
                    }
                };
            _ ->
--- a/apps/emqx_authz/test/emqx_authz_jwt_SUITE.erl
+++ b/apps/emqx_authz/test/emqx_authz_jwt_SUITE.erl
@ -305,6 +305,50 @@ t_check_expire(_Config) ->

    ok = emqtt:disconnect(C).

+t_check_no_expire(_Config) ->
+    Payload = #{
+        <<"username">> => <<"username">>,
+        <<"acl">> => #{<<"sub">> => [<<"a/b">>]}
+    },
+
+    JWT = generate_jws(Payload),
+
+    {ok, C} = emqtt:start_link(
+        [
+            {clean_start, true},
+            {proto_ver, v5},
+            {clientid, <<"clientid">>},
+            {username, <<"username">>},
+            {password, JWT}
+        ]
+    ),
+    {ok, _} = emqtt:connect(C),
+    ?assertMatch(
+        {ok, #{}, [0]},
+        emqtt:subscribe(C, <<"a/b">>, 0)
+    ),
+
+    ?assertMatch(
+        {ok, #{}, [0]},
+        emqtt:unsubscribe(C, <<"a/b">>)
+    ),
+
+    ok = emqtt:disconnect(C).
+
+t_check_undefined_expire(_Config) ->
+    Acl = #{expire => undefined, rules => #{<<"sub">> => [<<"a/b">>]}},
+    Client = #{acl => Acl},
+
+    ?assertMatch(
+        {matched, allow},
+        emqx_authz_client_info:authorize(Client, subscribe, <<"a/b">>, undefined)
+    ),
+
+    ?assertMatch(
+        {matched, deny},
+        emqx_authz_client_info:authorize(Client, subscribe, <<"a/bar">>, undefined)
+    ).
+
 %%------------------------------------------------------------------------------
 %% Helpers
 %%------------------------------------------------------------------------------
--- a/changes/v5.0.11-en.md
+++ b/changes/v5.0.11-en.md
@ -10,3 +10,5 @@
 ## Bug fixes

 - Return 404 for status of unknown authenticator in `/authenticator/{id}/status` [#9328](https://github.com/emqx/emqx/pull/9328).
+
+- Fix that JWT ACL rules are only applied if an `exp` claim is set [#9368](https://github.com/emqx/emqx/pull/9368).
--- a/changes/v5.0.11-zh.md
+++ b/changes/v5.0.11-zh.md
@ -10,3 +10,5 @@
 ## 修复

 - 通过 `/authenticator/{id}/status` 请求未知认证器的状态时，将会返回 404。
+
+- 修复 JWT ACL 规则只在设置了超期时间时才生效的问题 [#9368](https://github.com/emqx/emqx/pull/9368)。